Abstract

Guttman presented a model-theoretic approach to establishing security goals in the context of Strand Space theory. In his approach, a run of the Cryptographic Protocol Shapes Analyzer (CPSA) produces models that determine if a goal is satisfied.

This paper presents a method for extracting a sentence that completely characterizes a run of CPSA. Logical deduction can then be used to determine if a goal is satisfied. This method has been implemented and is available to all.

1 Introduction 

A central problem in cryptographic protocol analysis is to determine whether a formula that expresses a security goal about behaviors compatible with a protocol is true. Following [6], a security goal is a quantified implication:

$$\forall \bar{x}\,\Big(\Phi_0 \supset \bigvee_{1 \le i \le n} \exists \bar{y}_i\, \Phi_i\Big). \tag{1}$$

The hypothesis Φ_0 is a conjunction of atomic formulas describing regular (honest) behavior. Each disjunct Φ_i that makes up the conclusion is also a conjunction of atomic formulas. When Φ_i describes desired behaviors of other regular participants, the formula is an authentication goal. The goal says that each run of the protocol compatible with Φ_0 will include the regular behavior described by one of the disjuncts. When n = 0, the goal's conclusion is false. If Φ_0 mentions an unwanted disclosure, Eq. (1) then says the disclosure cannot occur, thus a security goal with n = 0 expresses a secrecy goal.

Guttman [6] presented a model-theoretic approach to establishing security goals in the context of Strand Space theory. In that setting, a skeleton describes regular behaviors compatible with a protocol. For skeleton k and formula Φ he defined k, α ⊨ Φ to mean that the conjunction of atomic formulas that make up Φ is satisfied in k with variable assignment α.

A realized skeleton is one that includes enough regular behavior to spec- 
ify all the non-adversarial part of an execution of the protocol. In a realized 
skeleton, its message transmissions combined with possible adversarial be- 
havior explain every message reception in the skeleton. 

In Strand Space theory, a homomorphism is a structure-preserving map δ that shows how the behaviors in one skeleton are reflected within another. As skeletons serve as models, homomorphisms preserve satisfaction for conjunctions of atomic formulas.

The Cryptographic Protocol Shapes Analyzer (CPSA) constructs homomorphisms from a skeleton k_0 to realized skeletons [9]. If CPSA terminates, it generates a set of realized skeletons k_i and a set of homomorphisms δ_i: k_0 → k_i. These realized skeletons are all the minimal, essentially different skeletons that are homomorphic images of k_0 and are called the shapes of the analysis.

Guttman proposed a recipe for evaluating goal (1) based on the following two technical results.

• For any security hypothesis Φ_0 there is a skeleton k_0 that characterizes it in the sense that for all k:

  ∃α. k, α ⊨ Φ_0  iff  ∃δ. δ: k_0 → k.

• There exists a realized skeleton that is a counterexample to (1) iff there exists some shape in the analysis of k_0 that is a counterexample.

These two results justify the following procedure.

1. Construct a characteristic skeleton k_0 for Φ_0.

2. Ask CPSA for the shapes produced by analyzing k_0.

3. As CPSA delivers shapes, check that each satisfies some disjunct Φ_i.

4. If the answer is no, this shape is a counterexample to (1).

5. If CPSA terminates with no counterexample, then (1) is achieved.

Implementing Security Goals. CPSA now has support for security goals, 
but not as specified by Guttman. Part of the reason for the difference is that 
the details of the formalism that underlies the CPSA implementation [11] 
dictate changes to the logic of security goals. These details will be elaborated 
later in this paper. 

The key difference is a change in perspective. Instead of finding a formula 
that characterizes a security hypothesis, CPSA includes a tool that extracts 
a sentence that characterizes a shape analysis. This so called shape analysis 
sentence is special in that it encodes everything that can be learned from the 
shape analysis. 

Given a shape analysis sentence, a security goal is achieved if the goal can be deduced from the sentence. CPSA includes a Prolog program that translates shape analysis sentences into Prover9 [8] syntax. Typically, a goal that is a theorem is quickly proved by Prover9.

There is another advantage to this approach. It can be tedious to generate 
security goals. Realistic ones can be large and complicated. An easy way 
to create one is to modify a shape analysis sentence. This typically involves 
deleting parts of the conclusion. 

There is a disadvantage to this approach. When a goal cannot be de- 
duced from a shape analysis sentence, one cannot conclude that there is a 
counterexample. It could be simply that the sentence is not relevant to the 
security goal. 

Motivating Example. The running example used throughout this paper is now presented. An informal version of the example is presented here, and the example with all of the details filled in is in Section 4.

The following protocol is a simplified version of the Denning-Sacco key distribution protocol [1] due to Bruno Blanchet.

$$\begin{aligned}
A \to B&: \{|\{|s|\}_{a^{-1}}|\}_b \\
B \to A&: \{|d|\}_s
\end{aligned}$$

Alice (A) freshly generates symmetric key s, signs the symmetric key with her private uncompromised asymmetric key a^{-1} and intends to encrypt it with Bob's (B) uncompromised asymmetric key b. Alice expects to receive data d encrypted, such that only Alice and Bob have access to it.

The protocol was constructed with a known flaw for expository purposes, and as a result the secret is exposed due to an authentication failure. The protocol does not prevent Alice from using a compromised key b', so that Mallory (M) can perform this man-in-the-middle attack:

$$\begin{aligned}
A \to M&: \{|\{|s|\}_{a^{-1}}|\}_{b'} \\
M \to B&: \{|\{|s|\}_{a^{-1}}|\}_b \\
B \to A&: \{|d|\}_s
\end{aligned}$$

Mallory holds the private key matching the compromised b', recovers the signed key s from Alice's message, re-encrypts the signature under Bob's key b, and can then read d from Bob's reply, since the symmetric key s is now shared with Mallory.

The protocol fails to provide a means for Bob to ensure the original message was encrypted using his key. The authentication failure is avoided with this variation of the protocol, in which Alice signs Bob's key together with the symmetric key:

$$\begin{aligned}
A \to B&: \{|\{|s, b|\}_{a^{-1}}|\}_b \\
B \to A&: \{|d|\}_s
\end{aligned} \tag{2}$$

In Strand Space theory, a strand is a linearly ordered sequence of events e_0 ⇒ ··· ⇒ e_{n−1}, and an event is either a message transmission • → or a reception • ←. In CPSA, adversarial behavior is not explicitly represented, so strands always represent regular behavior.

Regular behavior is constrained by a set of roles that make up the protocol. In this protocol, Alice's behaviors must be compatible with an initiator role, and Bob's behaviors follow a responder role.

$$\begin{aligned}
\mathit{init}&: \quad +\{|\{|s|\}_{a^{-1}}|\}_b \;\Rightarrow\; -\{|d|\}_s \\
\mathit{resp}&: \quad -\{|\{|s|\}_{a^{-1}}|\}_b \;\Rightarrow\; +\{|d|\}_s
\end{aligned} \tag{3}$$

The important authentication goal from Bob's perspective is that if an 
instance of a responder role runs to completion, there must have been an 
instance of the initiator role that transmitted its first message. Furthermore, 
assuming the symmetric key is freshly generated, and the private keys are 
uncompromised, the two strands agree on keys used for signing and encryp- 
tion. 
A CPSA analysis of the authentication goal requires two inputs, a specification of the roles that make up the protocol, as in Eq. (3), and a question about runs of the protocol. The question in this case is the hypothesis of Eq. (4) that an instance of the responder role ran to completion. In these diagrams, a strand instantiated from a role is distinguished from a role by placing messages above communication arrows, and ≻ is used to assert that an event occurred after another.

$$\begin{aligned}
&\mathit{resp}: \; -\{|\{|s|\}_{a^{-1}}|\}_b \Rightarrow +\{|d|\}_s \quad\text{implies} \\
&\mathit{resp}: \; -\{|\{|s|\}_{a^{-1}}|\}_b \Rightarrow +\{|d|\}_s \quad\text{and}\quad \mathit{init}: \; +\{|\{|s|\}_{a^{-1}}|\}_{b'}, \\
&\text{with the responder's reception} \;\succ\; \text{the initiator's transmission}
\end{aligned} \tag{4}$$

CPSA produces the conclusion in Eq. (4) that an instance of the initiator role must have transmitted its first message, but it does not conclude that the strands agree on the key used for the outer encryption: the initiator's key b' need not equal b. When CPSA is run using the amended protocol in Eq. (2), the strands agree on the key, and the authentication goal is achieved.

The contribution of this paper is a method of formalizing security goals and the results of a CPSA analysis in first-order logic such that whenever a CPSA analysis demonstrates that a security goal is achieved, the logical sentence associated with the security goal will be deducible from the shape analysis sentence of the relevant CPSA analysis. The sentences associated with this example are presented in Section 4.



Some Related Work. This paper is the result of implementing security goals as described in Guttman [6]. The original motivation for extracting shape analysis sentences rather than following the procedure in [6] was ease of implementation. With shape analysis sentences, most of the work is performed by a post-processing stage, and there were only a few changes made to the core CPSA program. Only later was the sense in which shape analysis sentences completely characterize a shape analysis realized.

The Scyther tool [2] integrates security goal verification with its core protocol analysis algorithm. Security goals are easy to state as long as they can be expressed using a predefined vocabulary; however, there is no sense in which Scyther goals characterize an analysis.

The Protocol Composition Logic provides a contrasting approach to specifying security goals. It extends strand spaces by adding an operational semantics as a small set of reduction rules, and a run of a protocol is a sequence of reduction steps derived from an initial configuration. The logic is a temporal logic interpreted over runs. The logic is more expressive than what is described within this paper at the cost of added complexity.

Sorts:       T, A, S, D
Subsorts:    A < T,  S < T,  D < T
Operations:  (·, ·):       T × T → T    Pairing
             {|·|}_(·):    T × A → T    Asymmetric encryption
             {|·|}_(·):    T × S → T    Symmetric encryption
             (·)^{-1}:     A → A        Asymmetric key inverse
             (·)^{-1}:     S → S        Symmetric key inverse
Equations:   (x^{-1})^{-1} = x  for x: A
             y^{-1} = y          for y: S

Figure 1: Simple Crypto Algebra Signature

Structure of this Paper. Section 2 describes the formalism on which CPSA is built, Section 3 presents the logic built upon that formalism, and Section 4 displays the example above in full detail.



Notation. A finite sequence is a function from an initial segment of the natural numbers. The length of a sequence X is |X|, and sequence X = ⟨X(0), ..., X(n − 1)⟩ for n = |X|. If S is a set, then S* is the set of finite sequences over S, and S⁺ is the non-empty finite sequences over S. The prefix of sequence X of length n is X ↾ n.



2 Message Algebras and Homomorphisms 

The two details of CPSA's formalism that dictate changes to the logic of 
security goals are the fact that in CPSA, a message algebra is an order-sorted 
quotient term algebra and homomorphisms are strand-oriented, not node- 
oriented. The issues surrounding homomorphisms will be described later. 

An order-sorted algebra is a generalization of a many-sorted algebra in 
which sorts may be partially ordered [3]. The carrier sets associated with 
ordered sorts are related by the subset relation. 
Figure 1 shows the simplification of the CPSA message algebra signature used by the examples in this paper. Sort T is the sort of all messages. Messages of sort S (symmetric keys), sort A (asymmetric keys), and sort D (data) are called atoms. Messages are generated from the atoms using encryption {|·|}_(·) and pairing (·, ·), where the comma operation is right associative and parentheses are omitted when the context permits.

Each variable in an order-sorted term has a unique sort. We write x: S, y: A, z: T for the set of variables {x, y, z} with sort mapping {x ↦ S, y ↦ A, z ↦ T} and call it a variable set.

The quotient term algebra generated by variable set X over the signature in Figure 1 is written 𝔄_X. It is the carrier set of sort T. The canonical representative of each member of 𝔄_X is the term with the fewest occurrences of the (·)^{-1} operation. Unification and matching can be implemented in such a way that only canonical terms are considered [11, Appendix B].

A message t_0 is carried by t_1, written t_0 ⊑ t_1, if t_0 can be derived from t_1 given the right set of keys, that is, ⊑ is the smallest reflexive, transitive relation such that t_0 ⊑ t_0, t_0 ⊑ (t_0, t_1), t_1 ⊑ (t_0, t_1), and t_0 ⊑ {|t_0|}_{t_1}.

The use of a message algebra that is order-sorted dictates that the logic 
used to express the characteristic sentence associated with a shape analysis 
is also order-sorted. Furthermore, the signature for the logic must inherit 
the sorts and subsort relations from the message algebra. 

Implementation-Oriented Strand Spaces. A run of a protocol is viewed as an exchange of messages by a finite set of local sessions of the protocol. Each local session is called a strand [12]. The behavior of a strand, its trace, is a non-empty sequence of messaging events. An event is either a message transmission or a reception. Outbound message t ∈ 𝔄_X is written as +t, and inbound message t is written as −t. A message originates in a trace if it is carried by some event and the first event in which it is carried is outbound.

A strand space Θ_X is a finite map from a set of strands to their traces. CPSA represents a set of strands as an initial segment of the natural numbers, therefore, a strand space is a sequence of traces. The nodes of a strand space are nodes(Θ_X) = {(s, i) | s ∈ Dom(Θ_X), 0 ≤ i < |Θ_X(s)|}. The event at node n = (s, i) is evt_Θ(s, i) = Θ(s)(i).

In an execution, a message that originates in exactly one trace is uniquely originating, and represents a freshly chosen value. A message that originates nowhere and is never used by the adversary to decrypt or encrypt a message is non-originating, and represents an uncompromised key.

A protocol P is a finite set of traces, which are the roles of the protocol. Strand s ∈ Dom(Θ_X) is an elaboration of role r ∈ P if Θ_X(s) is a prefix of the result of applying some substitution σ to r. An example of a protocol is in Eq. (6) in Section 4.

Skeletons. A skeleton represents all or part of the regular portion of an 
execution. A skeleton contains a strand space, a partial ordering of its nodes, 
assumptions about uncompromised keys and freshly generated atoms, and 
role associations. 

A skeleton k = k_X(rl, P, Θ_X, ≺, N, U), where rl: Dom(Θ_X) → P is a role map, ≺ is a strict partial ordering of the nodes, N is a set of atoms, none of which originate in a trace in Θ_X, and U is a set of atoms, all of which originate in no more than one trace in Θ_X. In addition, ≺ must order the node for each event that receives a uniquely originating atom after the node of its transmission, so as to model the idea that the atom represents a value freshly generated when it is transmitted.

The above definition of a skeleton is useful for defining the semantics of shape analysis sentences, but it does not reflect the syntax used by CPSA. In CPSA syntax, the trace and the role associated with a strand are specified by an instance. An instance is of the form ι(r, h, σ), where r is a role, h specifies the length of a trace instantiated from the role, and σ specifies how to instantiate the variables in the role to obtain the trace. Thus the trace associated with ι(r, h, σ) is σ ∘ r ↾ h, the prefix of length h of the result of applying σ to r.

In the CPSA syntax, the role map and sequence of traces are replaced by a sequence of instances. So for skeleton k_X(rl, P, Θ_X, ≺, N, U), the CPSA syntax is k_X(P, I, ≺, N, U), where for each s ∈ Dom(Θ_X), I(s) = ι(r, h, σ), r = rl(s), and the trace of ι(r, h, σ) is Θ_X(s).

Two examples of skeletons are displayed in Figure 2 in Section 4.

Homomorphisms. Let k_0 = k_X(rl_0, P, Θ_0, ≺_0, N_0, U_0) and k_1 = k_Y(rl_1, P, Θ_1, ≺_1, N_1, U_1) be skeletons. There is a skeleton homomorphism (φ, σ): k_0 → k_1 if φ and σ are maps with the following properties:

1. φ maps strands of k_0 into those of k_1, and nodes as φ((s, i)) = (φ(s), i), that is φ ∈ Dom(Θ_0) → Dom(Θ_1);

2. σ: 𝔄_X → 𝔄_Y is a message algebra homomorphism;

3. n ∈ nodes(Θ_0) implies σ(evt_{Θ_0}(n)) = evt_{Θ_1}(φ(n));

4. n_0 ≺_0 n_1 implies φ(n_0) ≺_1 φ(n_1);

5. t ∈ N_0 implies σ(t) ∈ N_1;

6. t ∈ U_0 implies σ(t) ∈ U_1;

7. t ∈ U_0 implies φ(O_{k_0}(t)) ⊆ O_{k_1}(σ(t));

where O_k(t) is the set of nodes of events at which t originates. Item 7 says the node at which an atom declared to be uniquely originating originates is preserved by homomorphisms. Note that φ is a strand mapping, not a node mapping as in [6].

3 Shape Analysis Sentences

Given the definitions in the previous section, the language 𝓛(P) used for shape analysis sentences is quite constrained. The signature for terms extends the one used for the underlying message algebra with a sort N, the sort of natural numbers, and two new operations, the constant zero: N and the successor function succ: N → N. The text uses the usual numerals for natural numbers. Variables of this sort will denote strands.

Shape formulas make use of protocol specific predicates and protocol independent predicates. For each role r ∈ P, 1 ≤ h ≤ |r|, and variable x: S that occurs in r ↾ h, there is a protocol specific binary predicate P[r, h, x]: N × S. For reasons that will become evident when their semantics is defined, each protocol specific predicate is called a strand progress predicate. The protocol independent predicate of arity four is prec: N × N × N × N. The protocol independent unary predicates are non: B and uniq: B for each atomic sort B ∈ {A, S, D}, and the protocol independent ternary predicates are orig: B × N × N. The predicate false has arity zero and, of course, equality is binary.

We define 𝒦(k) = (Y, Φ), where Φ is k's skeleton formula, and Y is the formula's variable set. Using the CPSA skeleton syntax presented in Section 2, let k = k_X(P, I, ≺, N, U). The variable set Y is X augmented with a fresh variable z_s: N for each strand s ∈ Dom(I). The formula Φ is a conjunction of atomic formulas composed as follows.

• For each s ∈ Dom(I), let I(s) = ι(r, h, σ). For each variable x ∈ Dom(σ) and term t = σ(x), assert P[r, h, x](z_s, t).

• For each (s, i) ≺ (s', i'), assert prec(z_s, i, z_{s'}, i').¹

• For each t ∈ N, assert non(t).

• For each t ∈ U, assert uniq(t).

• For each t ∈ U and (s, i) ∈ O_k(t), assert orig(t, z_s, i).

Given a set of homomorphisms δ_i: k_0 → k_i, its shape analysis sentence is

$$\Sigma(\delta_i\colon k_0 \to k_i) = \forall X_0\Big(\Phi_0 \supset \bigvee_i \exists X_i\,(\Delta_i \wedge \Phi_i)\Big), \tag{5}$$

where 𝒦(k_0) = (X_0, Φ_0). The same procedure produces X_i and Φ_i for shape k_i with one proviso: the variables in X_i that also occur in X_0 must be renamed to avoid trouble while encoding the structure preserving maps δ_i.

The structure preserving maps δ_i = (φ_i, σ_i) are encoded in Δ_i by a conjunction of equalities. Map σ_i is coded as equalities between a message algebra variable in the domain of σ_i and the term it maps to. Map φ_i is coded as equalities between strand variables in Φ_0 and strand variables in Φ_i. Let Z_0 be the sequence of strand variables freshly generated for k_0, and Z_i be the ones generated for k_i. The strand mapping part of Δ_i is the conjunction of the equalities Z_0(s) = Z_i(φ_i(s)) for each strand s of k_0.

An example shape analysis sentence is displayed in Figure 3. The strand progress predicate P[r, h, x](z, t) is written r_{h,x}(z, t) with the protocol left implicit.

Semantics of Skeleton Formulas. Let k = k_X(rl, P, Θ, ≺, N, U). The universe of discourse is 𝔇 = ℕ ∪ 𝔄_X. When formula Φ is satisfied in skeleton k with variable assignment α: Y → 𝔇, we write k, α ⊨ Φ. When sentence Σ is satisfied in skeleton k, we write k ⊨ Σ.

For each protocol specific predicate P[r, h, x], k, α ⊨ P[r, h, x](y, z) iff α(y) ∈ ℕ, α(z) ∈ 𝔄_X, and with α(y) = s,

1. s ∈ Dom(Θ),

2. h ≤ |Θ(s)|, and

3. Θ(s) ↾ h = σ ∘ {x ↦ α(z)} ∘ r ↾ h for some σ.

In an interpretation, rl(s) need not be r. The events that make up a strand's trace are all that matters. The protocol specific predicate P[r, h, x] is called a strand progress predicate, because it asserts a strand is compatible with an instance of role r of height at least h.

¹ In the code that extracts a shape analysis sentence, the prec predicate is not asserted for strand succession, and only for communication when it is in the transitive reduction of the ≺ relation. Sometimes the missing relations must be asserted as axioms for proper handling of a shape analysis sentence.

The interpretation of the protocol independent predicates is straightforward.

• k, α ⊨ prec(w, x, y, z) iff (α(w), α(x)) ≺ (α(y), α(z)).

• k, α ⊨ non(y) iff α(y) ∈ N.

• k, α ⊨ uniq(y) iff α(y) ∈ U.

• k, α ⊨ orig(x, y, z) iff α(x) ∈ U and (α(y), α(z)) ∈ O_k(α(x)).

• k, α ⊨ y = z iff α(y) = α(z).

• k, α ⊭ false.

Theorem 1. Let 𝒦(k_0) = (X, Φ) and Σ = ∃X Φ. Sentence Σ is satisfied in k iff there is a homomorphism from k_0 to k, i.e. k ⊨ Σ iff ∃δ. δ: k_0 → k.

This theorem corrects the first of the two main results from [6], as that paper omits the orig predicate. A later paper includes the orig predicate [7], using the symbol UnqAt.

Proof. For the forward direction, assume α is a variable assignment for the variables in X such that k, α ⊨ Φ, and let Z be the sequence of strand variables constructed while generating Φ from k_0. Then the pair of maps δ = (α ∘ Z, α) demonstrates a homomorphism from k_0 to k, i.e. each item in the definition of a skeleton homomorphism in Section 2 is satisfied.

For the reverse direction, assume maps δ = (φ, σ) are such that δ: k_0 → k. Then the desired variable assignment is

$$\alpha(x) = \begin{cases} \phi(Z^{-1}(x)) & x \in \mathrm{Ran}(Z) \\ \sigma(x) & x \in \mathrm{Dom}(\sigma). \end{cases}$$

□
Deducing Security Goals. A shape analysis δ_i: k_0 → k_i is complete if for each realized skeleton k, there is a homomorphism δ: k_0 → k iff for some i there is a homomorphism δ': k_i → k. There is an ongoing effort to show that whenever CPSA terminates it produces a complete shape analysis; preliminary analysis suggests that, with the exception of specially constructed, artificial protocols, CPSA's output is complete. See Appendix A for an example of a troublesome artificial protocol.

The next theorem captures the sense in which a shape analysis sentence characterizes a complete shape analysis.

Theorem 2. Let δ_i: k_0 → k_i be a complete shape analysis. Then the shape analysis sentence Σ = Σ(δ_i: k_0 → k_i) is satisfied in all realized skeletons k, i.e. k ⊨ Σ.

Proof. Shapes are minimal among realized skeletons, so there is no realized skeleton in the image of k_0 that is not in the image of one of the shapes. Therefore, by Theorem 1, the negation of the hypothesis of the implication is satisfied in all realized skeletons that are not in the image of k_0, and the disjunction is satisfied in the remaining realized skeletons. □

Let Σ be the shape analysis sentence of a complete shape analysis and Ψ be a security goal. If Σ ⊃ Ψ is a theorem in order-sorted first-order logic, then Ψ is satisfied in all realized skeletons and its protocol achieves this goal.



4 Detailed Example

The simplified version of the Denning-Sacco key distribution protocol due to Bruno Blanchet is now revisited.

$$\begin{aligned}
A \to B&: \{|\{|s|\}_{a^{-1}}|\}_b \\
B \to A&: \{|d|\}_s
\end{aligned}$$

Symmetric key s is freshly generated, asymmetric keys a^{-1} and b^{-1} are uncompromised, and the goal of the protocol is to keep data d secret. The CPSA description of this protocol has an initiator and a responder role.

$$\begin{aligned}
\mathit{init}(a, b\colon A, s\colon S, d\colon D) &= \big(+\{|\{|s|\}_{a^{-1}}|\}_b,\; -\{|d|\}_s\big), \\
\mathit{resp}(a, b\colon A, s\colon S, d\colon D) &= \big(-\{|\{|s|\}_{a^{-1}}|\}_b,\; +\{|d|\}_s\big).
\end{aligned} \tag{6}$$



$$\begin{aligned}
k_0 = k_X(&\{\mathit{init}(a_0, b_0, s_0, d_0), \mathit{resp}(a_1, b_1, s_1, d_1)\}, && \text{Protocol} \\
&(\iota(\mathit{resp}, 2, \{a_1 \mapsto a, b_1 \mapsto b, s_1 \mapsto s, d_1 \mapsto d\})), && \text{Instances} \\
&\emptyset, && \text{Node orderings} \\
&\{a^{-1}, b^{-1}\}, && \text{Non-origination} \\
&\{s\}) && \text{Unique origination}
\end{aligned}$$

where X = a, b: A, s: S, d: D

$$\begin{aligned}
k_1 = k_Y(&\{\mathit{init}(a_0, b_0, s_0, d_0), \mathit{resp}(a_1, b_1, s_1, d_1)\}, && \text{Protocol} \\
&(\iota(\mathit{resp}, 2, \{a_1 \mapsto a, b_1 \mapsto b, s_1 \mapsto s, d_1 \mapsto d\}), && \text{Instances} \\
&\;\;\iota(\mathit{init}, 1, \{a_0 \mapsto a, b_0 \mapsto b', s_0 \mapsto s\})), && \text{Note } b_0 \text{ is } b' \text{ not } b! \\
&\{(1, 0) \prec (0, 0)\}, && \text{Node orderings} \\
&\{a^{-1}, b^{-1}\}, && \text{Non-origination} \\
&\{s\}) && \text{Unique origination}
\end{aligned}$$

where Y = a, b, b': A, s: S, d: D

$$\delta_1 = ((0), \{a \mapsto a, b \mapsto b, s \mapsto s, d \mapsto d\})$$

Figure 2: Shape Analysis for Blanchet's Protocol

The protocol was constructed with a known flaw for expository purposes, and as a result the secret is exposed due to an authentication failure. The desired authentication goal is:

$$\begin{aligned}
\forall a, b\colon A, s\colon S, d\colon D, z_0\colon N\,\big(
&\mathit{resp}_{2,a}(z_0, a) \wedge \mathit{resp}_{2,b}(z_0, b) \wedge \mathit{resp}_{2,s}(z_0, s) \wedge \mathit{resp}_{2,d}(z_0, d) \wedge {} \\
&\mathrm{non}(a^{-1}) \wedge \mathrm{non}(b^{-1}) \wedge \mathrm{uniq}(s) \supset \exists z_1\colon N\, \mathit{init}_{1,b}(z_1, b)\big)
\end{aligned}$$

that is, when the responder (B) runs to completion, there is an initiator (A) that is using b for the encryption of its initial message.

To investigate this goal, we ask CPSA to find out what other regular behaviors must occur when a responder runs to completion by giving CPSA skeleton k_0 in Figure 2. CPSA produces shape k_1 that shows that an initiator must run, but it need not use the same key to encrypt its first message. The shape analysis sentence for this scenario is displayed in Figure 3. Needless to say, the authentication goal cannot be deduced from this sentence due to the man-in-the-middle attack: the sentence only asserts init_{1,b}(z_2, b_2) for a key variable b_2 that is never equated with b_0. If one repeats the analysis using the protocol in Eq. (2), the generated shape analysis sentence can be used to deduce the authentication goal.
$$\begin{aligned}
&\forall a_0, b_0\colon A, s_0\colon S, d_0\colon D, z_0\colon N\,\big( \\
&\quad \mathit{resp}_{2,a}(z_0, a_0) \wedge \mathit{resp}_{2,b}(z_0, b_0) \wedge \mathit{resp}_{2,s}(z_0, s_0) \wedge \mathit{resp}_{2,d}(z_0, d_0) \wedge {} \\
&\quad \mathrm{non}(a_0^{-1}) \wedge \mathrm{non}(b_0^{-1}) \wedge \mathrm{uniq}(s_0) \\
&\quad \supset \\
&\quad \exists a_1, b_1, b_2\colon A, s_1\colon S, d_1\colon D, z_1, z_2\colon N\,\big( \\
&\qquad z_0 = z_1 \wedge a_0 = a_1 \wedge b_0 = b_1 \wedge s_0 = s_1 \wedge d_0 = d_1 \wedge {} \\
&\qquad \mathit{resp}_{2,a}(z_1, a_1) \wedge \mathit{resp}_{2,b}(z_1, b_1) \wedge \mathit{resp}_{2,s}(z_1, s_1) \wedge \mathit{resp}_{2,d}(z_1, d_1) \wedge {} \\
&\qquad \mathit{init}_{1,a}(z_2, a_1) \wedge \mathit{init}_{1,b}(z_2, b_2) \wedge \mathit{init}_{1,s}(z_2, s_1) \wedge \mathrm{orig}(s_1, z_2, 0) \wedge {} \\
&\qquad \mathrm{prec}(z_2, 0, z_1, 0) \wedge \mathrm{non}(a_1^{-1}) \wedge \mathrm{non}(b_1^{-1}) \wedge \mathrm{uniq}(s_1)\big)\big)
\end{aligned}$$

Figure 3: Shape Analysis Sentence for Blanchet's Protocol
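The semantics of strand progress predicates from Section 3, applied to the shapes of Figure 2 to decide the authentication goal of this section, as an added example that is not part of the paper and not CPSA's code. The tuple encoding of terms and the role traces written for the amended protocol (2) are this example's reading of the text, and the amended-protocol shape is constructed here from the claim that the strands then agree on b; it is not CPSA output.

```python
"""Skeleton-formula semantics (Section 3) evaluated on the shapes of Figure 2.
Added example, not CPSA's code; the tuple term encoding, the role traces of the
amended protocol (2) and the amended shape are this example's assumptions."""
from collections import namedtuple
from itertools import product

# ('atom', sort, name): skeleton atom; ('var', sort, name): role variable;
# ('inv', t), ('pair', t0, t1), ('enc', t, k) as in Figure 1.
def atom(sort, name): return ('atom', sort, name)
def var(sort, name):  return ('var', sort, name)
def inv(k):           return ('inv', k)
def pair(t0, t1):     return ('pair', t0, t1)
def enc(t, k):        return ('enc', t, k)

def sort_of(t):
    if t[0] in ('atom', 'var'):
        return t[1]
    return sort_of(t[1]) if t[0] == 'inv' else 'T'

def subst(sigma, t):
    """Apply sigma (role variable -> term) to a role term."""
    if t[0] == 'var':
        return sigma.get(t, t)
    return t if t[0] == 'atom' else (t[0],) + tuple(subst(sigma, u) for u in t[1:])

def match(pattern, term, sigma):
    """Extend sigma so that subst(sigma, pattern) == term, else None.
    A variable of sort T matches any term; other sorts must agree."""
    if pattern[0] == 'var':
        if pattern[1] != 'T' and sort_of(term) != pattern[1]:
            return None
        if pattern in sigma:
            return sigma if sigma[pattern] == term else None
        return {**sigma, pattern: term}
    if pattern[0] == 'atom' or term[0] in ('atom', 'var') or pattern[0] != term[0]:
        return sigma if pattern == term else None
    for p, u in zip(pattern[1:], term[1:]):
        sigma = match(p, u, sigma)
        if sigma is None:
            return None
    return sigma

# Roles as traces of (direction, term): Eq. (6), and our reading of Eq. (2).
A, S, D = 'A', 'S', 'D'
ra, rb, rs, rd = var(A, 'a'), var(A, 'b'), var(S, 's'), var(D, 'd')
BLANCHET = {'init': [('+', enc(enc(rs, inv(ra)), rb)), ('-', enc(rd, rs))],
            'resp': [('-', enc(enc(rs, inv(ra)), rb)), ('+', enc(rd, rs))]}
AMENDED = {'init': [('+', enc(enc(pair(rs, rb), inv(ra)), rb)), ('-', enc(rd, rs))],
           'resp': [('-', enc(enc(pair(rs, rb), inv(ra)), rb)), ('+', enc(rd, rs))]}

def instance(roles, r, h, sigma):
    """iota(r, h, sigma): the prefix of length h of sigma applied to role r."""
    return [(dr, subst(sigma, t)) for dr, t in roles[r][:h]]

# k_X(P, I, prec, N, U) with the instances already expanded to traces.
Skeleton = namedtuple('Skeleton', 'traces prec non uniq')

def atoms_of(k):
    """All atoms occurring in k's traces: the finite universe quantified over."""
    found = set()
    def walk(t):
        if t[0] == 'atom':
            found.add(t)
        elif t[0] != 'var':
            for u in t[1:]:
                walk(u)
    for trace in k.traces:
        for _, m in trace:
            walk(m)
    return found

def progress(k, roles, r, h, x, s, t):
    """k, alpha |= P[r,h,x](z, y) with alpha(z) = s and alpha(y) = t: strand s
    has height >= h and its prefix of length h equals sigma o {x -> t} o r
    restricted to h, for some sigma (Section 3)."""
    if not 0 <= s < len(k.traces) or h > len(k.traces[s]):
        return False
    sigma = {x: t}
    for (rdir, rterm), (sdir, sterm) in zip(roles[r][:h], k.traces[s][:h]):
        sigma = match(rterm, sterm, sigma) if rdir == sdir else None
        if sigma is None:
            return False
    return True

def auth_goal_holds(k, roles):
    """The Section 4 authentication goal over k's finite universe: every alpha
    satisfying the hypothesis has some z1 with init_{1,b}(z1, b)."""
    atoms = atoms_of(k)
    of = lambda srt: sorted(t for t in atoms if t[1] == srt)
    strands = range(len(k.traces))
    for z0, a, b, s, d in product(strands, of(A), of(A), of(S), of(D)):
        hyp = (all(progress(k, roles, 'resp', 2, x, z0, t)
                   for x, t in ((ra, a), (rb, b), (rs, s), (rd, d)))
               and inv(a) in k.non and inv(b) in k.non and s in k.uniq)
        if hyp and not any(progress(k, roles, 'init', 1, rb, z1, b) for z1 in strands):
            return False
    return True

# Shape k1 of Figure 2: strand 0 is the responder, strand 1 the initiator,
# whose outer encryption key is b' rather than b.
a, b, b2, s, d = atom(A, 'a'), atom(A, 'b'), atom(A, "b'"), atom(S, 's'), atom(D, 'd')
RESP_SIGMA = {ra: a, rb: b, rs: s, rd: d}
K1 = Skeleton([instance(BLANCHET, 'resp', 2, RESP_SIGMA),
               instance(BLANCHET, 'init', 1, {ra: a, rb: b2, rs: s})],
              {((1, 0), (0, 0))}, {inv(a), inv(b)}, {s})
# Assumed shape for the amended protocol: the initiator now agrees on b.
K1_AMENDED = Skeleton([instance(AMENDED, 'resp', 2, RESP_SIGMA),
                       instance(AMENDED, 'init', 1, {ra: a, rb: b, rs: s})],
                      {((1, 0), (0, 0))}, {inv(a), inv(b)}, {s})
```

`auth_goal_holds(K1, BLANCHET)` is false because the only satisfying assignment binds b to Bob's key while the initiator strand matches `init` only with b ↦ b', exactly the gap between b_0 and b_2 in Figure 3; on `K1_AMENDED` the signed pair forces the same b on both strands and the goal holds. This is the model-theoretic check of step 3 in Guttman's procedure, evaluated in one skeleton, not the deduction from a shape analysis sentence that this paper advocates.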

5 Conclusion 

This paper presented a method for extracting a sentence that completely 
characterizes a run of CPSA and showed that logical deduction can then be 
used to determine if a security goal is satisfied. To ensure the fidelity of the 
translation between CPSA output and a shape analysis sentence, an order- 
sorted first-order logic is employed. Furthermore, the first-order language 
used for formulas is dictated by the CPSA syntax for skeletons and the for- 
malization of homomorphisms used by CPSA. 
A Artificial Protocol

This section presents an example of a protocol that causes CPSA to fail to produce a complete shape analysis.

$$\begin{aligned}
\mathit{init}(a\colon A, d\colon D) &= (+\{|d|\}_a, -d) \\
\mathit{resp}(x\colon T, d\colon D) &= (-x, +d)
\end{aligned} \tag{7}$$

The initiator in the protocol specifies half of a common authentication pattern. Assuming nonce d is freshly generated, and key a^{-1} is uncompromised, an execution of the protocol in which an instance of the initiator role runs to completion must include other regular behavior by a strand that possesses the decryption key a^{-1}.

It's the responder role that is artificial. Its first event is the reception of a message of any sort, and then it transmits a message of sort data. There are many ways in which an instance of the responder role can serve as the other half of the authentication pattern, such as:

[Eq. (8): two executions, each pairing an init strand (+{|d|}_a ⇒ −d) with a resp strand (−x ⇒ +d) whose received message x carries {|d|}_a; the diagrams are not recoverable from this copy.]

Yet consider an operational interpretation of the responder strand in Eq. (8). The role states that it first receives a message without knowing its structure, but the strand interprets that message as something it can decrypt and extracts the nonce. Formalizations based on an operational semantics, such as what is used for the Protocol Composition Logic [3], exclude the executions in Eq. (8), but there is nothing in Strand Space theory that prohibits those executions.